DEV Community: Keerthika K

Ever heard of Cryptographic Failure? 👀 Here’s why it’s chilling in the OWASP Top 10 😎

Keerthika K — Sun, 07 Sep 2025 07:14:59 +0000

Keerthika K

Sep 4 '25

Cryptographic Failure (Worked hard to sit here in OWASP Top 10 😎)

#cybersecurity #programming #beginners #infosec

Comments

2 min read

Cryptographic Failure (Worked hard to sit here in OWASP Top 10 😎)

Keerthika K — Thu, 04 Sep 2025 17:37:31 +0000

Buzz word Cryptography means?? 🔮
Converting data from a readable format to an unreadable format is called ciphertext. We achieve this using various encryption algorithms. It acts like a lock so a hacker cannot see what’s inside your home (here, the message). And just like every lock needs a key, the same concept applies here — a cryptographic key is provided to decipher the message back to its actual form.

“The Cryptographic Failure” 🦸🏻‍♀️ means??
It can be caused by various things. Some common reasons are:
🕐 Not handling cryptographic keys properly
🕑 Using outdated encryption algorithms 😿
🕒 Misconfiguration of encryption algorithms

Okayy guys, does it cause risks??
Yes, of course bro 🚨
• The brand reputation you built for years can be demolished in seconds (reputation damage)
• Your sensitive data will go into hackers’ hands

Real Example: The Heartbleed Bug 💔
This bug was found in an old OpenSSL cryptography library and occurred due to improper input validation. It was classified under a buffer-over-read vulnerability. It was fixed on April 7, 2014 🔐.
This bug was identified by Neel Mehta, Riku, Antti, and Matti. Due to the flaw in the TLS heartbeat extension, it got its name as Heartbleed.

How do hackers exploit cryptographic failures?
By:
• Intercepting your conversations (Man-in-the-Middle attack)
• Trying various passwords (brute-force attacks)
• _Discovering weak or exposed keys _and using them
So always follow standard security practices.

Time for superheroes to learn Prevention Techniques 🦸🏻
1️⃣ Update yourself and use modern cryptographic standard algorithms
2️⃣ Manage your keys properly _— store them securely, and ensure they are unique every time
3️⃣ Do _regular security testing (dynamic scenarios), audits, and fix problems early
4️⃣ While transmitting, also use _secure protocols _(e.g., HTTPS)

Finallyy ✨
Security is not meant only for giants — it’s for everyone.
Become a superhero by securing your applications 🤗
Thanks for reading! If you found this helpful, drop your thoughts in the comments (❁´◡`❁).
🤔What cybersecurity topic should I cover next? 😅

🔐 Broken Access Control (BAC) – A Key OWASP Top 10 Vulnerability (2025 Edition 😎)

Keerthika K — Tue, 02 Sep 2025 16:36:42 +0000

What is Access Control in Cybersecurity? 🤔
Access control is a security mechanism that decides who can view, modify, or delete data.
When access control is not properly configured (Broken Access Control), attackers exploit it to steal, modify, or delete sensitive user data. This makes BAC one of the most dangerous OWASP Top 10 vulnerabilities.

⚠️ Types of Broken Access Control Vulnerabilities

Horizontal Privilege Escalation 🚥 Example: Person A and Person B both have the same permission level (say, viewing only their bank info). But with BAC flaws, Person A can also view or change Person B’s bank details—a clear violation of data privacy.
*Vertical Privilege Escalation *🚦 A normal user (low-level) exploits BAC to gain admin-level access, leading to severe security breaches such as deleting accounts or modifying system data.
Context-Dependent Privilege Escalation 🎭 (aka the smart hacker move) Example: A user adds items to their cart and checks out. With BAC issues, they can manipulate the payment amount. Another case: performing actions in the wrong sequence (like skipping payment) also arises due to broken access control.

😟 Why is Broken Access Control Dangerous?
• Sensitive data exposure → Attackers can view, modify, or steal confidential information.
• Account takeover risks _→ Hackers can impersonate other users.
• _DDoS attacks using stolen data → Fun fact: attackers may even weaponize your stolen data to launch Distributed Denial of Service (DDoS) attacks.

🛡️ *How to Prevent Broken Access Control *(Best Practices)

Continuous Security Testing – Regularly identify & patch access control flaws.
CORS Protocol Usage – Configure Cross-Origin Resource Sharing (CORS) properly to prevent unauthorized requests.
RBAC (Role-Based Access Control) 🏃🏻‍➡️ – Assign permissions based on roles, reducing privilege misuse.
_Permission-Based Access Control _🔛 – Ensure systems check if a user role has required permissions.
Mandatory Access Control (MAC) ⚔️ – Limit sensitive data access only to administrators, based on data classification & sensitivity. ________________________________________

✅ Conclusion
Broken Access Control is not just a theoretical risk—it’s a real-world cybersecurity threat recognized in the OWASP Top 10 (2025).
By implementing strong access control mechanisms, organizations can:
✔️ Protect sensitive data 💾
✔️ Prevent privilege escalation 🚫
✔️ Strengthen overall cybersecurity posture 🔐
💪 Build strong access control. Stay worry-free 😮‍💨.

👉 Thanks for reading! If you found this helpful, drop your thoughts in the comments (❁´◡`❁).
🔥 What cybersecurity topic should I cover next? 😅

SQL Injection (Got a place in the OWASP Top 10) 🧑🏻‍💻

Keerthika K — Thu, 21 Aug 2025 17:27:49 +0000

SQL Injection (Got a place in the OWASP Top 10) 🧑🏻‍💻

Definition:
As the name says, the attacker injects malicious SQL code into the database through user input fields

Are these harmful?⚠️
These queries can retrieve, modify, or delete data (data integrity issue), escalate privilege, and give unauthorized access to sensitive data. Sooo, leaving it to you to decide whether it’s harmful or not… 😏

Occurs Due To…? 🤔
Mostly Developer! 👨‍💻👩‍💻 Yes, you heard that right. Whenever developers do not properly sanitize input and simply insert user input into the database, the bad guys (attackers) take advantage of it.
Example:
select * from bank where user_id=1867 or 1=1
Since 1=1 is always true , it bypasses normal authentication and the query is successfully executed.

Wanna know deeper..? Let’s explore the types of SQL injection (mainly 5) 🔍

In-band SQL Injection Same as above—here, the attacker uses the application interface and sends the query. As simple as that, but extremely common ⚡
Out-of-band SQL Injection Rare but dangerous 😈 (evil laugh). Bad guys use different communication channels to steal data from the database.
Error-based Learning from flaws 🪲 Yes, the attackers do this too. They learn about the DB structure/schema from error messages and use them for attacks.
Blind SQL Injection Try, try, try... 🎯 Ahhh, the attackers follow this too. They observe the behavior of the application by using different boolean conditions and gather info about the DB.
Time-based SQL Injection Delayed time ⏳—no worry, unless the query runs successfully. Attackers send a query with a time delay and, based on response time, can tell if their query worked or flopped. Example: select * from user where id=265 and sleep(5); ________________________________________

Prevention is Better than Cure 🛡️ (Maintain hygienic practice in coding too 😭😭)

✅ Use prepared statements & parameterized queries—these treat user input as ‘data’, not as part of the SQL query.
📦 Stored Procedures can Avoid dynamic construction of SQL queries.
📝 Whitelist input by validating before using them in queries.
⚙️ Use ORM frameworks (Hibernate, Entity Framework), as these automatically handle query generation and can help block dynamic queries.
🔒 Restrict privilege and provide only required privilege for users—don’t allow DROP or ALTER permissions for everyone.
🐞_Handle errors wisely _by displaying only generic messages to the user.
🛠️ Use automated tools like SQLMap, Burp Suite, OWASP ZAP for scanning vulnerabilities.
🕵️ Perform regular penetration testing with a pen tester.
📚 Follow secure coding practices _and educate everyone around you. _______________________________________

So I am concluding by saying,✨
“Stay aware, build wise, stay safe.” 💡
Thank you for reading 🙂
If you have any doubts, kindly drop them in the comment section 🤷
What topic should I cover nexttt..?

Think before you click .

Keerthika K — Thu, 21 Aug 2025 17:17:58 +0000

Keerthika K

Jul 14 '25

🧠 Think Before You Click: Real-Life Phishing Attacks You Should Know 👀

#cybersecurity #security #infosec #beginners

Comments 3

2 min read

🧠 Think Before You Click: Real-Life Phishing Attacks You Should Know 👀

Keerthika K — Mon, 14 Jul 2025 07:55:07 +0000

Imagine one fine evening, you get a sudden message from your bank:

“Your account has been blocked. Click here to fix it.”

You're tensed. You panic. You click it.

BOOM.
Hackers now have your credentials.

Haha… (evil laugh)

Welcome to the world of phishing attacks — where hackers don’t break in, they trick you into opening the door.

🧭 What is Phishing?

Phishing is a cyber attack where the hacker pretends to be a trusted source and sends you an urgent message, usually to create panic.

They trick you into clicking a link, filling out a form, or downloading something shady — and steal your info (passwords, PINs, credit card details... you name it).

These digital thieves come disguised as:

Fake emails
Fake SMS
Even fake websites that look scarily real (UI 10/10, intentions 0/10 💀)

🎭 Types of Phishing Attacks

There are mainly 6 types — let’s break them down:

1️⃣ Email Phishing

Mass emails with fake links, hoping someone clicks.

But not you — you’re smart 😌

2️⃣ Spear Phishing

Targeted attacks aimed at a specific person like a CEO, manager, or even you if you're vibing too high.

3️⃣ Smishing

SMS-based phishing.

“Your FASTag is blocked. Click to recharge.” No ,not falling for it.

4️⃣ Vishing

Voice-based phishing via phone calls.

“Hello Sir, I’m from your bank. Kindly share your OTP.”

Never. Ever. Do. That.

5️⃣ Clone Phishing

A legit email is copied and resent with malicious attachments.

E.g., Yesterday’s bank statement becomes today’s malware if you’re not careful.

6️⃣ Whaling

Big fish scam: Emails that look like they’re from your CEO or manager asking you to share login creds or perform urgent tasks.

“Hey, can you share your password? Need it urgently.” — Bro, no.

🚩 How to Spot a Phishing Attempt

Be on high alert when you see:

Urgency traps: Words like urgent, alert, EOD, limited time
Fishy sender emails: support@amaz0n.in
Shortened links: bit.ly/paytmsecure
Grammatical mistakes: Spelling errors, weird formatting
Requests for sensitive data: OTP, PIN, login info, or card numbers

🛡️ How to Protect Yourself (The Real Flex)

Pause. Breathe. Read before you click.

✅ Don’t click suspicious links — open apps or type the official URL

✅ Verify with the sender/company before sending money or info

✅ Use 2FA (Two-Factor Authentication) on all accounts

✅ Keep your software updated and use antivirus

✅ Report phishing emails to CERT-IN or your email provider

💌 Drop your thoughts, questions, or phishing stories below.

Let’s create a community where hackers don’t stand a chance.

Thanks for reading! 🔐💻